Query Parameter Processing by a SiteMinder IdP
If single sign-on is initiated by a Service Provider, that Service Provider may include a ForceAuthn or IsPassive query parameter in an AuthnRequest message.
When a Service Provider includes ForceAuthn or IsPassive in the AuthnRequest, a SiteMinder Identity Provider handles these query parameters as follows:
ForceAuthn Handling
When a Service Provider includes ForceAuthn=True in the AuthnRequest, a SiteMinder Identity Provider does the following:
- If ForceAuthn=True in the AuthnRequest message, and a SiteMinder session exists, the Identity Provider disregards the existing session and re-challenges the user for credentials. If the user successfully authenticates, a new session is established.
- If ForceAuthn=True in the AuthnRequest message and there is no SiteMinder session, the SiteMinder Identity Provider challenges the user for their credentials. If the user successfully authenticates, a session is established.
IsPassive Handling
When a Service Provider includes IsPassive in the AuthnRequest, a SiteMinder Identity Provider responds as follows, returning an error where the request cannot be honored:
- If IsPassive=True in the AuthnRequest message and there is no SiteMinder session, a SiteMinder Identity Provider returns a SAML response that includes an error message because SiteMinder requires a session.
- If IsPassive=True in the AuthnRequest message and there is a SiteMinder session, the SiteMinder Identity Provider returns the assertion.
- If IsPassive and ForceAuthn are in the AuthnRequest message and both are set to True, the SiteMinder Identity Provider returns an error because this is an invalid request. IsPassive and ForceAuthn are mutually exclusive.
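The decision rules above, modeled as an added example (this is not SiteMinder's code or configuration): a small Python function parses the ForceAuthn and IsPassive attributes from a samlp:AuthnRequest and resolves them against the current session state, rejecting the mutually exclusive combination first. The SAML status URIs are the standard ones from the SAML 2.0 core specification; the mapping of the page's "error" responses onto those codes, the xs:boolean parsing, the behaviour when neither flag is present, and the sample request are assumptions made for the example.

```python
"""Model of how an IdP resolves ForceAuthn / IsPassive on a SAML 2.0 AuthnRequest."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Status codes from the SAML 2.0 core spec; the mapping onto the page's "error" cases is assumed.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"


@dataclass(frozen=True)
class IdpDecision:
    action: str               # "challenge", "issue_assertion" or "error"
    status: Optional[str]     # top-level SAML status of the response; None when no response is sent yet
    reason: str               # human-readable explanation for the IdP log
    substatus: str = ""       # optional second-level SAML status code


def _xs_boolean(raw: Optional[str]) -> bool:
    """Parse an xs:boolean attribute; an absent attribute means false, anything else is malformed."""
    if raw is None:
        return False
    value = raw.strip().lower()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError(f"malformed xs:boolean value: {raw!r}")


def parse_authn_flags(authn_request_xml: str) -> tuple:
    """Return (force_authn, is_passive) from a samlp:AuthnRequest document."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    return _xs_boolean(root.get("ForceAuthn")), _xs_boolean(root.get("IsPassive"))


def decide(force_authn: bool, is_passive: bool, session_exists: bool) -> IdpDecision:
    """Apply the IdP rules to the two flags and the current SiteMinder session state."""
    if force_authn and is_passive:
        # Invalid request: the two flags are mutually exclusive, so reject before anything else.
        return IdpDecision("error", STATUS_REQUESTER,
                           "ForceAuthn and IsPassive are both true; invalid request")
    if force_authn:
        # Any existing session is disregarded and the user is re-challenged for credentials.
        why = "existing session disregarded" if session_exists else "no session"
        return IdpDecision("challenge", None, f"ForceAuthn=true: {why}, challenging for credentials")
    if is_passive:
        if session_exists:
            return IdpDecision("issue_assertion", STATUS_SUCCESS, "IsPassive=true and a session exists")
        # The IdP requires a session and may not interact with the user, so it must return an error.
        return IdpDecision("error", STATUS_RESPONDER,
                           "IsPassive=true but no session exists", STATUS_NO_PASSIVE)
    # Neither flag set: assumed default (not described on the page) is to reuse a session or challenge.
    if session_exists:
        return IdpDecision("issue_assertion", STATUS_SUCCESS, "no flags; existing session reused")
    return IdpDecision("challenge", None, "no flags; no session, challenging for credentials")


def handle_authn_request(authn_request_xml: str, session_exists: bool) -> IdpDecision:
    """Parse the request and return the IdP decision for it."""
    force_authn, is_passive = parse_authn_flags(authn_request_xml)
    return decide(force_authn, is_passive, session_exists)


# Constructed minimal AuthnRequest; the ID, IssueInstant and Issuer values are placeholders.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'ForceAuthn="{force}" IsPassive="{passive}">'
    '<saml:Issuer>https://sp.example.invalid/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

if __name__ == "__main__":
    for force, passive in (("true", "false"), ("false", "true"), ("true", "true")):
        for session in (True, False):
            request = SAMPLE_REQUEST.format(force=force, passive=passive)
            print(f"ForceAuthn={force} IsPassive={passive} session={session}:",
                  handle_authn_request(request, session))
```

The order of the checks matters: the mutually exclusive combination is rejected before either flag is acted on, so a request carrying both can never trigger a credential challenge or a silent assertion. Malformed boolean values are treated as a parse failure rather than silently read as false, which keeps a badly formed request from being interpreted as a plain SSO request.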